Skip to content

Instantly share code, notes, and snippets.

@chowder

chowder/README.md

Last active January 14, 2026 02:32
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save chowder/2ead734d60d84d4d15034fcce81aaaf9 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save chowder/2ead734d60d84d4d15034fcce81aaaf9 to your computer and use it in GitHub Desktop.
Download ZIP
Exporting Microsoft Authenticator TOTP secrets
Raw
README.md

Background

Workplaces may enforce TOTP 2FA to be enabled Office 365 accounts, which require the Microsoft Authenticator app to be installed.

Regular TOTP applications (such as Aegis, Authy, or LastPass) cannot be used as Microsoft uses a proprietary scheme called phonefactor. Furthermore, the application requires Google Services Framework (GSF) to be installed (likely to provide device notifications), and will refuse to work when it is not present on the device.

Forunately, after the registration is complete, the underlying mechanism the app uses to generate TOTP codes is regular otpauth, and its secrets can be exported with a little bit of effort.

Extracting the keys

  1. To extract the keys, a complete registration must first be done with a rooted Android device. I used a virtual Android device created with Android Studio's Device Manager.

  2. Once complete, an SQLite database storing the keys can be found on the device at:

    /data/data/com.azure.authenticator/databases/PhoneFactor

    (accessing the /data partition is what requires root)

  3. ADB can then be used to connect to the device/emulator, using its bundled sqlite3 tool to view the database:

    $ adb root  # Ensure we run as the root user 
$ adb shell  # Launch a shell as the root user 
emu64xa:/ # whoami
root 
emu64xa:/ # sqlite3 /data/data/com.azure.authenticator/databases/PhoneFactor  # Connect to the database file
sqlite> SELECT name, username, oath_secret_key from accounts;
GitHub|Chowder@github.com|w0swofa8wl02vqml0pkbzphvp54zyx5x

    The 32-length string in the oath_secret_key column can then be imported into any TOTP application.

@diffs
Copy link

diffs commented Aug 3, 2024

I was trying to go down the route of intercepting Authenticator's web requests with Fiddler and disabling SSL with Frida to try to get the keys as they're being synced into the emulator.. but turns out this is way easier lol.

Thanks!

@CerebralDatabank
Copy link

CerebralDatabank commented May 11, 2025
edited
Loading

Thanks for this guide; this still works in 2025! Just wanted to say that and add some extra steps that I took:

  1. I created a normal emulator image with Google Play Services and rooted it with the rootAVD tool (InstallKernelModules option), as in one of the above comments.
  2. I signed in with Google into the Play Store, installed the Microsoft Authenticator app, and restored the backup.
  3. I used adb shell to copy the MS Auth's app's folder in /data/data to /sdcard, then used adb pull to copy it to my computer.
  4. On my computer, I ran the following commands: 
    > cd com.azure.authenticator\databases
> sqlite3 PhoneFactor
sqlite> .headers on
sqlite> .mode csv
sqlite> .output accounts.csv
sqlite> SELECT * FROM accounts;
sqlite> .quit
  5. I created two Node.js scripts to work with the resulting CSV:
    • conv.js
      This reads the CSV and writes a plain text file with a list of otpauth:// URIs. This can be imported into other authenticator apps (sometimes indirectly, e.g. plain text β†’ import to Aegis β†’ export as Aegis β†’ import into Bitwarden Authenticator)
    • show-qrs.js
      This reads the list of otpauth:// URIs and shows the QR codes in the terminal one-by-one for apps that I wasn't able to import into (e.g. Google Authenticator)

@jneidel
Copy link

jneidel commented May 13, 2025
edited
Loading

Works great. Thank you, the people above me, for writing it up!

These were my full steps to do this on MacOS. It's not complicated if you are familiar with the terminal.

  • $ brew install --cask android-studio
  • In android studio > Device Manger > New Device (pick any, I used Pixel 9)
  • run emulator once, shutdown
  • get https://gitlab.com/newbit/rootAVD
git clone https://gitlab.com/newbit/rootAVD.git
cd rootAVD
  • put this temporarily in .zshrc:
export PATH=~/Library/Android/sdk/platform-tools:$PATH
export ANDROID_HOME=~/Library/Android/sdk
  • reload shell (source ~/.zshrc)
  • locate system image: find $ANDROID_HOME -name "ramdisk.img" (./rootAVD.sh ListAllAVDs was suggested as an alternative)
  • run rootAVD FAKEBOOTIMG. rootAVD expects a img path relative to $ANDROID_HOME, so clean up the img path to start with system-images, like here:
./rootAVD.sh system-images/android-36/google_apis_playstore/x86_64/ramdisk.img FAKEBOOTIMG
  • rootAVD will tell you when you need to open Magisk in the emulator and press "Install > Patch file > Select file "/sdcard/Download/fakeboot.img", then press Enter in rootAVD
  • shut down emulator and cold reboot
  • on the emulator search for and install aurora from https://aurorastore.org, configure, use Anonymous account
  • in Aurora install Microsoft Authenticator and set up your 2FA
  • $ adb shell
  • inside run:
su
# grant the Magisk request in the emulator
whoami #==> root (success)
cd /data/data/com.azure.authenticator
cp -r databases/ /sdcard/Download/
  • on your machine
adb pull /sdcard/Download/databases
cd databases
sqlite3 PhoneFactor

# inside sqlite
.headers on
.mode csv
.output accounts.csv
 SELECT * FROM accounts;
.quit

# back in shell
cat accounts.csv | cut -d, -f6
#=> oath_secret_key
#=> ______________ (your secret)
  • open KeepassXC, right click db entry, setup TOTP, paste secret
  • test that 2FA works

@thefyfy
Copy link

thefyfy commented May 13, 2025

Thank you @jneidel πŸ™
Am I missing something at this step ? 🧐

jeremy@MacBook-Air-de-Jeremy-2 rootAVD % find $ANDROID_HOME -name "ramdisk.img"
/Users/jeremy/Library/Android/sdk/system-images/android-36/google_apis_playstore/arm64-v8a/ramdisk.img
jeremy@MacBook-Air-de-Jeremy-2 rootAVD % ./rootAVD.sh /Users/jeremy/Library/Android/sdk/system-images/android-36/google_apis_playstore/arm64-v8a/ramdisk.img FAKEBOOTIMG
rootAVD A Script to root AVD by NewBit XDA

Usage:	rootAVD [DIR/ramdisk.img] [OPTIONS] | [EXTRA ARGUMENTS]
or:	rootAVD [ARGUMENTS]

Arguments:
	ListAllAVDs			Lists Command Examples for ALL installed AVDs...

rootAVD does nothing....

@jneidel
Copy link

jneidel commented May 14, 2025
edited
Loading

@thefyfy yes, rootAVD does not want the absolute path to the image, but one relative from $ANDROID_HOME. I clarified this above. In your case:

# this
./rootAVD.sh system-images/android-36/google_apis_playstore/arm64-v8a/ramdisk.img FAKEBOOTIMG
# not this
./rootAVD.sh /Users/jeremy/Library/Android/sdk/system-images/android-36/google_apis_playstore/arm64-v8a/ramdisk.img FAKEBOOTIMG

This tripped me up too πŸ˜„

@elnappo
Copy link

elnappo commented Oct 24, 2025
edited
Loading

Thanks @jneidel works for me with a few remarks:

  • You can use ./rootAVD.sh ListAllAVDs to get the command which I think is easier then your find command
  • ./rootAVD.sh system-images/android-36/google_apis_playstore/x86_64/ramdisk.img FAKEBOOTIMG only works for me if the simulator is running, in your guide step 3 is to shutdown the simulator
  • the sqlite changed, it's now field 6 so cat accounts.csv | cut -d, -f6

Tried to simplify it a bit:

brew install --cask android-studio
# Create an emulator with PlayStore in Android Studio
git clone https://gitlab.com/newbit/rootAVD.git && cd rootAVD
./rootAVD.sh ListAllAVDs
./rootAVD.sh <use path from above> FAKEBOOTIMG
# follow instructions to root the emulator
# wait for the emulator to shutdown and do a cold boot
# Install Aurora Store from https://auroraoss.com/aurora-store (lots of shady ads) or via F-Droid (https://f-droid.org/), install Microsoft Authenticator and setup your account
adb shell
su
# allow request in the emulator
whoami # should return root
cp /data/data/com.azure.authenticator/databases/PhoneFactor* /sdcard/Download/
exit
exit
# now back on the host
adb pull /sdcard/Download/PhoneFactor
adb pull /sdcard/Download/PhoneFactor-shm
adb pull /sdcard/Download/PhoneFactor-wal
sqlite3 PhoneFactor "SELECT name, username, oath_secret_key from accounts;"

@kitsumed
Copy link

kitsumed commented Dec 20, 2025

If anyone want more detailed steps, I documented how I did it here: https://kitsumed.github.io/blog/posts/extracting-totp-tokens-from-microsoft-authenticator/

@TSlivede
Copy link

TSlivede commented Jan 2, 2026

My two cents:

BlueStacks & WSL instead of Android Studio & rootAVD (no rooting required)

In case you already have BlueStacks & WSL installed (IMHO much more likely than Android Studio πŸ™‚) you can do this instead to extract the PhoneFactor database:

  • Ensure cloud Backup in your Microsoft Authenticator is enabled.
  • Install Microsoft Authenticator in Bluestacks
    • Select Restore from Backup when opening first time (don't login and then try to restore.) - See picture in post from @kitsumed above.
  • If you can now see your TOTP codes in Microsoft Authenticator in Bluestacks then
    • close Microsoft Authenticator (maybe even force close?)
    • wait a minute (to ensure files have actually been written to disk - I don't know of any way to force a sync)
    • close/shutdown Bluestacks. (You can use BlueStacks multi instance manager to ensure, that it is completely stopped. I couldn't find any official reference if this really does shutdown the android instance or if it does some kind of hibernate - many people seem to assume it's shutdown, I was just wandering because I got a warning on mount, that the fs was not cleanly unmounted before. Everything still worked without a problem though...)

Now using WSL (default ubuntu distro) to mount the android instances rootfs and read the data via sqlite3:

sudo apt update
sudo apt install sqlite3 qemu-utils

sudo modprobe nbd
sudo qemu-nbd --connect /dev/nbd0 --read-only /mnt/c/ProgramData/BlueStacks_nxt/Engine/Pie64/Data.vhdx
sudo partprobe -s /dev/nbd0
mkdir /tmp/android-data-mount/
sudo mount /dev/nbd0p1 /tmp/android-data-mount/ -o ro,noload

mkdir /mnt/c/ms-auth-export
cd /mnt/c/ms-auth-export
sudo sqlite3 /tmp/android-data-mount/data/com.azure.authenticator/databases/PhoneFactor '.headers on' '.mode csv' '.output accounts.csv' 'SELECT * FROM accounts;'

sudo umount /tmp/android-data-mount
rmdir /tmp/android-data-mount/
sudo partprobe -d /dev/nbd0
sudo qemu-nbd --disconnect /dev/nbd0
sudo modprobe -r nbd

explorer.exe 'C:\ms-auth-export\'

Note that autocompletion for sqlite database path does not work for two reasons: (1) folder com.azure.authenticator is owned by a user unknown to WSL and has restrictive permissions and (2) file PhoneFactor does not end in .db so sqlite3's bash autocompletion pattern doesn't match.

You should now see accounts.csv

Microsoft account base64 eight digit code

As mentioned in @ChrisIdema's comment, Microsoft's own account uses an eight digit TOTP that is stored not as base32 but base64 and can be converted using python:

python -c 'import base64; print (base64.b32encode(base64.decodebytes(b"<base64 encoded MS secret>")).decode())'

Passwordmanagers with only a textbox for the TOTP secret might accept an URI like this to specify, that it is an 8 digit code:

otpauth://totp/Microsoft:username@outlook.com?period=30&digits=8&algorithm=SHA1&secret=<base32 encoded MS secret>

I specifically know that this works for Bitwarden/Vaultwarden.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment